US6732277B1ExpiredUtility

Method and apparatus for dynamically accessing security credentials and related information

73
Assignee: ENTRUST TECHNOLOGIES LTDPriority: Oct 8, 1998Filed: Oct 8, 1998Granted: May 4, 2004
Est. expiryOct 8, 2018(expired)· nominal 20-yr term from priority
H04L 63/0442H04L 63/065
73
PatentIndex Score
83
Cited by
18
References
45
Claims

Abstract

A method and apparatus for dynamically accessing security credentials that are used to participate in a secure communication begins by obtaining virtual credentials of an entity, where the virtual credentials include a data specifier and/or an identifier. The data specifier functions as a pointer to a particular physical security credential, its data storage location, and the format of the physical security credential. The identifier functions as a pointer to secondary virtual credentials, which include at least one data specifier. The processing continues by generating physical security credentials based on the physical security credentials retrieved via the data specifiers. The processing then continues by utilizing the physical security credentials by an individual entity (e.g., a party, a server, an administrator, etc.) such that the individual entity may participate in a secured communication. If, during the secured communication, any of the physical security credentials change, the physical security credentials are updated in accordance with a synchronization record to maintain data synchronization.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
       1. A method for dynamically accessing security credentials that are used for participating in a secure communication, the method comprises the steps of: 
       a) obtaining virtual credentials associated with a source that does not contain physical security credentials of interest, that include at least one of a data specifier and an identifier;  
       b) generating, by other than the source, physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       c) utilizing the physical security credentials to participate in the secured communication.  
     
     
       2. The method of  claim 1  further comprises generating a synchronization record when at least one of the physical security credentials changed, wherein the synchronization record includes an indicator that indicates to other applications that appropriate parts of the physical security credentials are to be re-assembled. 
     
     
       3. The method of  claim 2  further comprises at least one of: 
       pushing an updated representation of the at least one of the physical security credentials to a data storage element; and  
       storing the synchronization record for subsequent updating of a data storage element.  
     
     
       4. The method of  claim 1 , wherein step (a) further comprises retrieving the virtual credentials from at least one of: a local computer, a network server database, a hardware token, and an Internet connection. 
     
     
       5. The method of  claim 1  further comprises generating the virtual credentials upon initialization of secure communication privileges. 
     
     
       6. The method of  claim 1  further comprises: 
       receiving a security identifier that identifies an individual entity, wherein the obtaining of the virtual credentials is based on the security identifier, wherein the individual entity includes a user, a machine software process, and a group of at least one of users and machine software processes.  
     
     
       7. The method of  claim 1 , wherein the physical security credentials include individual security credentials and shared security credentials and wherein the security credentials are unprotected or protected. 
     
     
       8. The method of  claim 1 , wherein step (b) further comprises generating the physical security credentials based on the data specifiers and wherein the data specifier includes at least one of: data type identifier, a primary/secondary identifier, a protocol identifier, a location identifier, a format identifier, and an identifier that the data specifiers are not available. 
     
     
       9. The method of  claim 1 , wherein the physical security credentials include realized data and virtual data, wherein the virtual data references non-copy physical security credentials. 
     
     
       10. The method of  claim 1  further comprises accessing secondary virtual credentials based on the identifier to obtain at least one secondary data specifier. 
     
     
       11. A method for dynamically accessing security credentials that are used for participating in a secure communication, the method comprises the steps of: 
       a) receiving a security identifier that identifies an individual entity;  
       b) obtaining virtual credentials, associated with a source that does not contain physical security credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       c) generating physical security credentials, other than by the source used to participate in a secured communication based on at least a portion of the virtual credentials.  
     
     
       12. The method of  claim 11  further comprises: 
       utilizing the physical security credentials to participate in the secured communication; and  
       generating a synchronization record when at least one of the physical security credentials changed during the second communication.  
     
     
       13. The method of  claim 12  further comprises generating the synchronization record by at least one of: 
       pushing an updated representation of the at least one of the physical security credentials to a data storage element; and  
       storing the synchronization record for subsequent updating of a data storage element.  
     
     
       14. The method of  claim 11 , wherein step (b) further comprises retrieving the virtual credentials from at least one of: a local computer, a network server, a hardware token, and an Internet connection. 
     
     
       15. The method of  claim 11 , wherein step (c) further comprises generating the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier that is not available. 
     
     
       16. The method of  claim 11  further comprises accessing secondary virtual credentials based on the identifier to obtain at least one secondary data specifier. 
     
     
       17. A security processing module comprises; 
       a processing module; and  
       memory operably coupled to the processing module, wherein the memory stores programming instructions that, when read by the processing module, cause the processing module to: (a) obtain virtual credentials, associated with a source that does not contain physical security credentials of interest, that include at least one of: a data specifier and an identifier; (b) generate physical security credentials used to participate in a secure communication based on at least a portion of the virtual credentials; and (c) utilize the physical security credentials to participate in the secured communication.  
     
     
       18. The security processing module of  claim 17 , wherein the memory further comprises programming instructions that cause the processing module to generate a synchronization record when at least one of the physical security credentials changed, wherein the synchronization record includes an indicator that indicates to other applications that appropriate parts of the physical security credentials are to be reassembled. 
     
     
       19. The security processing module of  claim 18 , wherein the memory further comprises programming instructions that cause the processing module to generate the synchronization record by at least one of: 
       pushing an updated representation of the at least one of the physical security credentials to a data storage element; and  
       storing the synchronization record for subsequent updating of a data storage element.  
     
     
       20. The security processing module of  claim 17 , wherein the memory further comprises programming instructions that cause the processing module to: 
       receive a security identifier that identifies an individual entity, wherein the obtaining of the virtual credentials is based on the security identifier.  
     
     
       21. The security processing module of  claim 17 , wherein the memory further comprises programming instructions that cause the processing module to retrieve the virtual credentials from at least one of: a local computer, a network server database, a hardware token, and an Internet connection. 
     
     
       22. The security processing module of  claim 17 , wherein the memory further comprises programming instructions that cause the processing module to generate the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier are not available. 
     
     
       23. The security processing module of  claim 17 , wherein the memory further comprises programming instructions that cause the processing module to access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier. 
     
     
       24. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to obtain virtual credentials, associated with a source that does not contain physical credentials of interest, that include at least one of: a data specifier and an identifier;  
       second storage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       third storage means for storing programming instruction that cause the processing module to utilize the physical security credentials to participate in the secured communication.  
     
     
       25. The digital storage medium of  claim 24  further comprises programming instructions that cause the processing module to generate a synchronization record when at least one of the physical security credentials changed, wherein the synchronization record includes an indicator that indicates to other applications that appropriate parts of the physical security credentials are to be re-assembled. 
     
     
       26. The digital storage medium of  claim 25  further comprises programming instructions that cause the processing module to generate the synchronization record by at least one of: 
       pushing an updated representation of the at least one of the physical security credentials to a data storage element; and  
       storing the synchronization record for subsequent updating of a data storage element.  
     
     
       27. The digital storage medium of  claim 24  further comprises programming instructions that cause the processing module to: 
       receive a security identifier that identifies an individual entity, wherein the obtaining of the virtual credentials is based on the security identifier.  
     
     
       28. The digital storage medium of  claim 24  further comprises programming instructions that cause the processing module retrieve the virtual credentials from at least one of: a local computer, a network server database, a hardware token, and an Internet connection. 
     
     
       29. The digital storage medium of  claim 24  further comprises programming instructions that cause the processing module to generate the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier are not available. 
     
     
       30. The digital storage medium of  claim 24  further comprises programming instructions that cause the processing module to access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier. 
     
     
       31. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to receive a security identifier that identifies an individual entity;  
       second storage means for storing programming instruction that cause the processing module to obtain virtual credentials, associated with a source that does not contain physical security credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       third storage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials.  
     
     
       32. The digital storage medium of  claim 31  further comprises programming instructions that cause the processing module to: 
       utilize the physical security credentials to participate in the secured communication; and  
       generate a synchronization record when at least one of the physical security credentials changed during the secured communication.  
     
     
       33. The digital storage medium of  claim 31  further comprises programming instructions that cause the processing module to generate the synchronization record by at least one of: 
       pushing an updated representation of the at least one of the physical security credentials to a data storage element; and  
       storing the synchronization record for subsequent updating of a data storage element.  
     
     
       34. The digital storage medium of  claim 31  further comprises programming instructions that cause the processing module to retrieve the virtual credentials from at least one of: a local computer, a network server, a hardware token, and an Internet connection. 
     
     
       35. The digital storage medium of  claim 31  further comprises programming instructions that cause the processing module to generate the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier are not available. 
     
     
       36. The digital storage medium of  claim 31  further comprises programming instructions that cause the processing module to access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier. 
     
     
       37. A method for dynamically accessing security credentials that are used for participating in a secure communication, the method comprises the steps of: 
       a) obtaining virtual credentials, associated with a source that does not contain physical credentials of interest, that include at least one of a data specifier and an identifier;  
       b) generating, by other than the source, physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials;  
       c) utilizing the physical security credentials to participate in the secured communication; and  
       d) accessing secondary virtual credentials based on the identifier to obtain at least one secondary data specifier.  
     
     
       38. A method for dynamically accessing security credentials that are used for participating in a secure communication, the method comprises the steps of: 
       a) receiving a security identifier that identifies an individual entity;  
       b) obtaining virtual credentials, associated with a source that does not contain physical credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       c) generating physical security credentials, other than by the source used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       d) generating the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier is not available.  
     
     
       39. A method for dynamically accessing security credentials that are used for participating in a secure communication, the method comprises the steps of: 
       a) receiving a security identifier that identifies an individual entity;  
       b) obtaining virtual credentials, associated with a source that does not contain physical credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       c) generating physical security credentials, other than by the source used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       d) accessing secondary virtual credentials based on the identifier to obtain to least one secondary data specifier.  
     
     
       40. A security processing module comprises; 
       a processing module; and  
       memory operably coupled to the processing module, wherein the memory stores programming instructions that, when read by the processing module, cause the processing module to: (a) obtain virtual credentials, associated with a source that does not contain physical credentials of interest, that include at least one of: a data specifier and an identifier; (b) generate physical security credentials used to participate in a secure communication based on at least a portion of the virtual credentials; (c) utilize the physical security credentials to participate in the secured communication; and (g) generate the physical security credentials based on the data specifiers having a second identifier when the physical security credentials of the data specifiers having a primary identifier are not available.  
     
     
       41. A security processing module comprises; 
       a processing module; and  
       memory operably coupled to the processing module, wherein the memory stores programming instructions that, when read by the processing module, cause the processing module to: (a) obtain virtual credentials, associated with a source that does not contain physical credentials of interest, that include at least one of: a data specifier and an identifier; (b) generate physical security credentials used to participate in a secure communication based on at least a portion of the virtual credentials; (c) utilize the physical security credentials to participate in the secured communication; and (d) access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier.  
     
     
       42. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to obtain virtual credentials associated with a source that does not contain physical credentials of interest, that include at least one of: a data specifier and an identifier;  
       second stage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials;  
       third storage means for storing programming instruction that cause the processing module to utilize the physical security credentials to participate in the secured communication; and  
       programming instructions that cause the processing module to generate the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier are not available.  
     
     
       43. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to obtain virtual credentials, associated with a source that does not contain physical credentials of interest, that include at least one of: a data specifier and an identifier;  
       second storage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials;  
       third storage means for storing programming instruction that cause the processing module to utilize the physical security credentials to participate in the secured communication; and  
       fourth storage means for storing programming instructions that cause the processing module to access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier.  
     
     
       44. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to receive a security identifier that identifies an individual entity;  
       second storage means for storing programming instruction that cause the processing module to obtain virtual credentials, associated with a source that does not contain physical credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       third storage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       fourth storage means for storing programming instructions that cause the processing module to generate the physical security credentials based on the data specifiers having a secondary identifier when the physical security credentials of the data specifiers having a primary identifier are not available.  
     
     
       45. A digital storage medium that stores programming instructions that, when read by a processing module, cause the processing module to dynamically access security credentials, the digital storage medium comprises: 
       first storage means for storing programming instruction that cause the processing module to receive a security identifier that identifies an individual entity;  
       second storage means for storing programming instruction that cause the processing module to obtain virtual credentials, associated with a source that does not contain physical credentials of interest, based on the security identifier, wherein the virtual credentials include at least one of: a data specifier and an identifier;  
       third storage means for storing programming instruction that cause the processing module to generate physical security credentials used to participate in a secured communication based on at least a portion of the virtual credentials; and  
       fourth storage means for programming instructions that cause the processing module to access secondary virtual credentials based on the identifier to obtain at least one secondary data specifier.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.